Observation of Common String Obfuscation Trick

String obfuscation has become an enemy of string/pattern matching since forever. With string obfuscation tricks, string/pattern matching with no proper handling will surely return no significant results. This kind of tricks has to be taken into consideration when developing a security tool with string/pattern matching as its one of the main engine.

In this post, we will going to look at few (yet famous) of the common obfuscation trick that are being used in JavaScript code.

String concatenation with “+” or ‘+’

This obfuscation trick is commonly being used in malicious JavaScript code. String concatenation in JavaScript functionalities allows actual string to be concatenated with the character “+” or ‘+’. For instance, document.write(“th”+”is”+” is “+”mal”+”iciou”+”s!”); are equivalent with document.write(“this is malicious!”); even though the form and length are not equal.

Comment

Comment obfuscation are also become a nuisance in deobfuscating the Javascript code. The previous example, document.write(“this is malicious!”); can also be represent into document/* comment 1 */.write/* comment 2 */(“this is malicious!”/* comment 3 */); which is also valid for code execution. This technique is also one of the preferred obfuscation to be included by attacker inside the malicious code.

Long spaces

Another annoying technique used in the malicious JavaScript code is the long spaces/tabs. In long spaces/tabs, normal code like document.write(“this is malicious!”); usually will represent something like document.write( “this is malicious!”); depending on the attackers’ creativity.

Analyst might need to take a proper string handling before string/pattern matching detection took place since the mentioned string obfuscation tricks above will surely evade the success of string/pattern matching –based tool. It is undoubtedly that analyst will have to give a huge effort in order for analysis tool to be useful for future usage.

Keep in mind that all of the above tricks are part of the JavaScript’s valid functionalities. Most of the scripting language also provide this kind of features and functionalities, and most of the programmers are benefited in good ways with these functionalities. Its idea is not for obfuscation but rather for flexibility in programming style. But good usually packaged with bad, and manipulation of this good functionalities makes it become a obfuscation trick for destructive purposes.